@@ -6201,6 +6201,52 @@ public class CsrfController {
It is important to keep the `CsrfToken` a secret from other domains.
This means if you are using https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS[Cross Origin Sharing (CORS)], you should **NOT** expose the `CsrfToken` to any external domains.

+[[data]]
+= Spring Data Integration
+
+Spring Security provides Spring Data integration that allows referring to the current user within your queries.
+It is not only useful but necessary to include the user in the queries to support paged results since filtering the results afterwards would not scale.
+
+[[data-configuration]]
+== Spring Data & Spring Security Configuration
+
+To use this support, provide a bean of type `SecurityEvaluationContextExtension`.
+In Java Configuration, this would look like:
+
+[source,java]
+----
+@Bean
+public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
+ return new SecurityEvaluationContextExtension();
+}
+----
+
+In XML Configuration, this would look like:
+
+[source,xml]
+----
+<bean class="org.springframework.security.data.repository.query.SecurityEvaluationContextExtension"/>
+----
+
+[[data-query]]
+== Security Expressions within @Query
+
+Now Spring Security can be used within your queries.
+For example:
+
+[source,java]
+----
+@Repository
+public interface MessageRepository extends PagingAndSortingRepository<Message,Long> {
+ @Query("select m from Message m where m.to.id = ?#{ principal?.id }")
+ Page<Message> findInbox(Pageable pageable);
+}
+----
+
+This checks to see if the `Authentication.getPrincipal().getId()` is equal to the recipient of the `Message`.
+Note that this example assumes you have customized the principal to be an Object that has an id property.
+By exposing the `SecurityEvaluationContextExtension` bean, all of the <<common-expressions,Common Security Expressions>> are available within the Query.
+
= Appendix
[[appendix-schema]]
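Review bot: the precondition that the principal has been customized to expose an `id` property appears only after the `findInbox` snippet ("Note that this example assumes you have customized the principal to be an Object that has an id property"); state it before the `@Query` example, since a reader copying `?#{ principal?.id }` with the default principal has no such property and the query will not work as shown. While there, say what the `?.` safe-navigation operator is doing in this query, so readers can tell whether an empty `Page<Message>` is the intended outcome for a missing principal or a sign of misconfiguration, which matters when the query is the only authorization check on the inbox. Two wording points in the added prose: "Now Spring Security can be used within your queries." is vague and would be clearer as "Now Spring Security expressions can be used within your `@Query` strings."; and "It is not only useful but necessary to include the user in the queries to support paged results since filtering the results afterwards would not scale." reads better as "Including the user in the query is necessary for paged results, because filtering the results after the fact would not scale."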